
September 2006 Archives

September 5, 2006

Security Engineering Online

Circa 2001, still one of the best around on security engineering. Ross Anderson and his publisher Wiley have made this excellent book available online at Security Engineering: A Guide to Building Dependable Distributed Systems.
It's organized as a separate PDF per chapter, so if Nuclear command and control is not your bag, you can jump directly to Protecting e-Commerce systems without killing any trees.

September 11, 2006

Sustained trends: 9/11, application firewalls and bare midriffs.

Towards Q4 every year, I start writing MBOs for the new year; it must be something that was burned into my biological EEPROM when I worked at Intel. It's like the storks migrating over Israel from Northern Europe to Africa this time of year.

I try and push back, look at things objectively - what's dying on the vine? Am I on the right track? Am I doing the right things for my clients? Could someone else do my job better? Can I create a new product or service that will add value?

One of the most interesting exercises in any field, especially in technology and fashion, is to predict what will be hot. A colleague of mine claims that information security is like women's fashion, where people flock like lemmings to certain trends. Last year, bare midriffs were in and this summer they're out. Last year it was application firewalls and this summer it's database monitoring, and so forth.

It might be a pretty interesting (although useless) research exercise to track the correlation between fashion trends (number of, lifetime of, geographic distribution, etc.) and information security trends.

What I really want to know is: will people be buying my products and services in 2007/8, or will I be trying to ride my mountain bike up a rocky road with an 18% grade?

I started googling for security trends and I chanced upon an article about global sustainability (there is actually a program at Harvard called "Research and Assessment Systems for Sustainability"). It sounded interesting, so I downloaded the article and read it Shabat morning. Most of it was fairly trivial, like "preserving the life support systems of the planet is made more difficult by the rapid and continuing global environmental changes in the air, oceans, land and freshwater systems".

BUT, yesterday was the fifth anniversary of 9/11 and this paragraph caught my eye:

"There are also strong counter-currents to global culture that emphasize ethnic, national, and religious distinctiveness, never more evident than on September 11, 2001, when, in the name of religion, the symbolic elements of a globalized economy and military power were targeted".

Ohkay, it isn't the Muslims trying to get everybody to convert and destroy America - it's religious distinctiveness.

After reading that, I realized that Google isn't going to give me the answers on what will be hot in the infosec market next year. I have now adopted a much simpler algorithm: I built two "strawman" products on paper (one for software defect reduction and another for operational risk mitigation) and I started calling people up and making meetings for lunch. By the end of October, I hope to have a decent picture of the market potential.

September 12, 2006

Why product development is like big band jazz

It's no secret that for some time now, great products can be developed by small teams with modern tools (.Net, PHP, Ruby on Rails, or Aolserver a few years ago); 3 programmers can conduct a small war of software development.

I play tenor in the JP Big Band; we had our first rehearsal last week after the August hiatus. It was great to be playing together again, but some of the numbers were pathetic. A big band is 17 pieces and the potential for chaos is significant.

When you ignore the other guys in your section, play loud, or lose time - you get a train wreck. You can be off on your own, red-hot and having a terrific time, but the ensemble is somewhere else and pretty soon it all breaks down. I think Jim McCarthy coined the phrase "programmers in a black hole" to describe developers who are hopelessly lost from the project. That's why software product development is like big band jazz: if you're a developer, product manager or salesman - you gotta keep on listening to the rest of the team or your project will come apart at the seams.

September 13, 2006

Microsoft vs. Open Source: Who Will Win?

I just read an article on the Harvard Business School Working Knowledge site that reports on the results of a formal economic model of the competition between Microsoft and the FOSS movement. The article itself, entitled "Dynamic Mixed Duopoly: A Model Motivated by Linux vs. Windows", does not seem to reach any new conclusions, although it does coin a new buzz-phrase - "demand-side learning", i.e. the ability of end users to modify the source and add value or save money on support costs. They claim that OSS comes from behind in market share and that Microsoft benefits from software piracy. I would disagree with the first statement simply because I believe that their model is focussed on the operating system; on the second statement, I can only say that this has been well known for years. When I ran Microsoft Back Office distribution at Bynet Software, it was clear that eventually pirated copies resulted in legal licenses further down the road.

There are several flaws in the model:
a. They ignore the huge rise in OSS Web and database applications that run on both the Linux and Microsoft OS platforms. I am certain that the combined MySQL and PostgreSQL install base exceeds Oracle and SQL Server.

b. They ignore a fascinating trend, exemplified on SourceForge, of growing OSS projects on Microsoft Windows. Over 30% of the projects on SourceForge are on MSFT platforms and the number is growing quickly.

c. They don't get it. That is, they ponder at the end of the interview why people do FOSS. Apparently HBS stopped teaching about the three human motivators: Power, Creativity and The Need to Socialize. FOSS is all about all three.

But who knows, maybe at HBS the economics researchers don't have to take a basic social science course.

September 17, 2006

Making a business case against internal threats

Since 2003, I've been actively involved in implementing extrusion prevention solutions (extrusion is sensitive data leaving a network without authorization), and it seems to me that there is a good deal of confusion about what extrusion means ("Data Theft" or "Internet Leakage"?), what the causes are (ignorance or premeditation?) and what the actual economic damage is - possibly one of three things:

1) Something to be ignored, being a rare event that happens to other people
2) Cost to the business: Paying lawyers, security consultants, forensic accountants, PR people and a drop in stock price (if the company trades publicly)
3) Cost to the consumers: Who have to deal with an Identity theft event

I think the best way to deal with gray areas like this is to trash the marketing fluff and techno-lust and concentrate on building a business case.

We did this recently with some success with a NASDAQ traded tech firm, using the PTA tool.

You can read their story about building a business case; download the practical threat model and try it out yourself.

Two recent articles on Computerworld online talk about the gray areas.

(BTW, CW online stopped accepting unsolicited articles a few months ago and only works with sponsors and paid writers; their work is still pretty high quality, but they don't accept my articles anymore - their loss...)

The Ponemon Institute (Larry Ponemon is one of those guys who write regularly for CW and gets to promote his consulting business...) did a survey and concludes that most companies don't devote the resources to deal with extrusion even though they acknowledge insider threats.

"Approximately 93% believe that the No. 1 barrier to addressing the data breach risk is the lack of sufficient resources, and 80% cited a lack of leadership, he said. Another factor is that no one person has overall responsibility for managing insider threats, according to 31% of respondents."

Another article by staff writer Jaikumar Vijayan, concludes that data theft is a very small contributor to Identity theft:

"A yearlong study of about 5,000 U.S. consumers by Pleasanton, Calif.-based analyst firm Javelin Strategy & Research showed that despite recent hype, data breaches were responsible for just 6% of all known cases of identity theft, compared to 30% from incidents like losing one's wallet. The study also showed that less than 1% of all individuals whose data was lost later became victims of ID theft."

In other words, neither the cost to business nor the cost to the consumer of a data theft event is perceived to justify business allocation of resources to deal with the threat.

This underscores the importance of building a business case for dealing with trusted insider threats - there is a lot of technology out there and a multitude of ideas on how to mitigate the threat.

It's no wonder there are 10 startups biting and scratching for a piece of a $50M niche market, although I betcha that if your name isn't Vontu, you aren't going to get an exit in the near future.

September 22, 2006

The vulnerability of default passwords: From Oracle to ATM hacking

If you still need a good reason for software applications to force a change of default factory password settings, you should read this story.

I get a daily digest from daveslist; this item came in on Monday, Sep 18. I now realize I should be more diligent in reading the items and taking them seriously.

Date: Mon, 18 Sep 2006 01:41:47 -0700
Subject: Re: [Dailydave] ATM reprogrammed to give out 4 times more money
Cc: dailydave

> 60 seconds with eBay yields the names and model numbers of the so-called "ATM's" that are
> currently popular for deployment on private premises. Another 5 minutes with Google yields
> installation manuals, detailing access to the administrative menu and, of course, default
> passcodes.

On 9/15/06, Halvar Flake wrote:
>
> Somebody tell me that the stuff in the subject is a joke.
>
> Cheers,
> Halvar

Well, it is not a joke. You can either download the operator manual for the ATM machine from Google cache or get a copy from a reseller. The manual specifies the default passwords, how to enter diagnostic mode and other helpful things like how to remove the surcharge and to change the denomination of the bill trays.

The hack is simple - get a prepaid debit card, find an ATM with default passwords, go into diagnostic mode and swap a $5 bill tray with $50, withdraw 10 bills and make a 900 percent profit. The operator of the ATM takes the hit, and the perp profits the difference from the bill trays. After exploiting the ATM, change back the settings. The prepaid debit card assures anonymity.

According to the vendor, Tranax, the company first heard of the denomination-change hack a few years ago, when its ATMs had only a single passcode to access all the management functions; i.e. the service technicians had super-user privileges that they could share with a friend. The friend could take out money, split the difference with the technician, and the operator of the ATM would be in the dark.

Tranax treated the fraud as a trusted-insider issue, and changed its software to enforce three levels of access, instead of granting all service people (including the person who loads cash) super-user privileges.

It didn't occur to Tranax that the operator of their ATM in a convenience store might just leave all the admin passwords at default values - the case at many Oracle 8i installations. Why should Tranax be different than Oracle?

This week the Tranax CEO proclaimed that they will modify the software in all new ATMs. There is no way to automatically distribute a mandatory patch to the 75,000 machines in service or to force the operator to apply a patch.

Considering their track record, I think these folks should do a practical threat analysis of the machine and its software and not leave their security software planning to their PR people.
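As a defensive counterpart to the two failures described above (one passcode granting every service person super-user rights, and factory defaults left in place by the operator), here is an added example, not Tranax's code, of a management console that refuses every management function until all roles have replaced their factory passcodes and restricts denomination and surcharge changes to the operator tier. The role names, passcode values and function names are constructed placeholders for this illustration.

```python
"""Role-separated ATM management console with a factory-default lockout.
Added illustration; roles, passcodes and function names are constructed."""
from dataclasses import dataclass, field

# Constructed placeholder defaults; a real unit's values come from the vendor manual.
FACTORY_DEFAULTS = {"loader": "111111", "technician": "222222", "operator": "333333"}

# Least privilege: each tier sees only the functions its job needs.
PERMISSIONS = {
    "loader": {"replenish_cassette"},
    "technician": {"replenish_cassette", "run_diagnostics"},
    "operator": {"replenish_cassette", "run_diagnostics",
                 "set_denomination", "set_surcharge"},
}
MIN_PASSCODE_LEN = 6  # assumed policy for this example


@dataclass
class ManagementConsole:
    passcodes: dict = field(default_factory=lambda: dict(FACTORY_DEFAULTS))
    audit: list = field(default_factory=list)  # what an operator would review

    def defaults_in_use(self) -> set:
        """Roles whose passcode still equals *any* role's factory default."""
        return {r for r, p in self.passcodes.items() if p in FACTORY_DEFAULTS.values()}

    def change_passcode(self, role: str, current: str, new: str) -> bool:
        """Rotate a passcode; reject every factory default and any value already in use."""
        if self.passcodes.get(role) != current:
            return False
        if (new in FACTORY_DEFAULTS.values() or new in self.passcodes.values()
                or len(new) < MIN_PASSCODE_LEN):
            return False
        self.passcodes[role] = new
        self.audit.append(f"{role}: passcode changed")
        return True

    def invoke(self, role: str, passcode: str, function: str) -> str:
        """Run a management function only after authentication, lockout and role checks."""
        if self.passcodes.get(role) != passcode:
            self.audit.append(f"{role}: bad passcode for {function}")
            return "denied: bad passcode"
        # Hard gate: nothing works while a default passcode survives on any tier,
        # so a unit cannot be deployed half-configured with a default admin code.
        stale = self.defaults_in_use()
        if stale:
            return f"denied: factory defaults still set for {sorted(stale)}"
        if function not in PERMISSIONS[role]:
            self.audit.append(f"{role}: not permitted {function}")
            return "denied: not permitted for role"
        self.audit.append(f"{role}: {function}")
        return "ok"
```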

You can view the Tranax Mini-bank 1500 manual here.

September 25, 2006

Local patriotism and Open Source CRM solutions

We did a project about a year ago using a number of FOSS technologies to help set up a call center that specializes in outgoing calls to Europe from Israel. It was an interesting debugging and integration exercise for us (which we will have to document in another article) to take Sugar CRM, Linux for workstations and servers, the Asterisk soft switch and Xphone. We did a fair amount of customization of Sugar CRM but nothing fancy with Asterisk, which proved to be a piece of cake to set up.

Like any project of this sort, it was a learning experience and one of us (Yuval) had the good fortune to be invited to submit an article to the local edition in Hebrew of PC Magazine and share knowledge with other folks. The article provides guidance on how to acquire and implement a CRM solution.

Read the article here

September 26, 2006

Software Security or Stupidity: AOL - Part II

AOL has been sued for their privacy breach. I wrote previously that I thought this was more a case of stupidity (posting research records on a public site) than a software vulnerability.

Three AOL members have accused AOL of privacy violation, false advertising and unjust enrichment. I understand privacy violation (maybe), but false advertising and unjust enrichment??

The lawsuit seeks monetary relief for all affected AOL members in the U.S. whose search data was disclosed without consent from January 1, 2004 until the present. The plaintiffs also ask the court to instruct AOL not to store or maintain users' web search records, and to destroy the web search records it currently has.

Last week, in its latest search engine usage study, Nielsen/NetRatings reported that in August, people in the U.S. ran 18.2 percent fewer queries on AOL's search engine compared with August 2005.

I doubt their "unjust enrichment" charge is going to stick - either that or the judge is going to have to retain an expert witness at $500/hour to explain why being stupid makes AOL rich.

About September 2006

This page contains all entries posted to Israeli Software in September 2006. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.